Your submission was sent successfully! Close

CVE-2007-6303

Published: 10 December 2007

MySQL 5.0.x before 5.0.51a, 5.1.x before 5.1.23, and 6.0.x before 6.0.4 does not update the DEFINER value of a view when the view is altered, which allows remote authenticated users to gain privileges via a sequence of statements including a CREATE SQL SECURITY DEFINER VIEW statement and an ALTER VIEW statement.

Notes

AuthorNote
jdstrand
patch from debian works on gutsy and feisty. On edgy and dapper
the test case fails (meaning the patch is incomplete).
Priority

Low

Status

Package Release Status
mysql-dfsg-5.0
Launchpad, Ubuntu, Debian
dapper
Released (5.0.22-0ubuntu6.06.8)
edgy
Released (5.0.24a-9ubuntu2.4)
feisty
Released (5.0.38-0ubuntu1.4)
gutsy
Released (5.0.45-1ubuntu3.3)
upstream
Released (5.0.45-5)